polymarket-weather-trader

Warn

Audited by Gen Agent Trust Hub on Mar 11, 2026

Risk Level: MEDIUM
Findings: CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [CREDENTIALS_UNSAFE]: The skill requires users to provide their Polymarket wallet private key via the WALLET_PRIVATE_KEY environment variable. This is a high-risk credential that allows full control over the user's funds. While the skill indicates the simmer-sdk uses this key for client-side transaction signing, storing it in an environment variable is a security risk.
  • [EXTERNAL_DOWNLOADS]: The skill depends on the simmer-sdk Python package, which is an external dependency downloaded from a non-whitelisted registry. This package handles the core trading logic and sensitive credential processing.
  • [COMMAND_EXECUTION]: The skill is designed to be run as a CLI tool (weather_trader.py) and provides additional utility scripts (scripts/status.py) for account management, both of which perform network operations and financial transactions.
  • [DATA_EXFILTRATION]: The skill makes network requests to api.simmer.markets to transmit order data and fetch account state. It also communicates with the National Oceanic and Atmospheric Administration (NOAA) API at api.weather.gov to retrieve forecast data.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through external data sources. It processes weather forecasts from NOAA and market metadata from the Simmer API, which could potentially contain malicious instructions. The risk is significantly reduced by the skill's use of structured parsing (regular expressions and numeric type casting) before the data influences program flow.
      • Ingestion points: NOAA API forecast periods and Simmer API market outcome names.
      • Boundary markers: Absent; the skill does not use specific delimiters or instructions to ignore embedded commands in the fetched data.
      • Capability inventory: The skill can execute trade orders and sell positions on Polymarket through the Simmer API.
      • Sanitization: Present; the skill uses regular expressions to extract specific temperature values and dates, and converts these values to floats or integers for comparison logic.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Mar 11, 2026, 01:48 PM